Class AuthorizationServerProperties


  • @Validated
    @ConfigurationProperties("broadleaf.auth.security")
    public class AuthorizationServerProperties
    extends Object
    Author:
    Phillip Verheyden (phillipuniverse), Jeff Fischer, Nick Crum (ncrum)
    • Constructor Detail

      • AuthorizationServerProperties

        public AuthorizationServerProperties()
    • Method Detail

      • isUseRedirectUriHost

        @Deprecated
        public boolean isUseRedirectUriHost()
        Deprecated.
        This property has been deprecated, as the ForwardedHeaderFilter should be used in all circumstances to correctly determine the redirect URI. When it is used, requests will automatically be redirected to the forwarded host/path. Use the same host from the provided successful login redirect URI. This facilitates a common domain for authorize, login, and application, if desired. Redirect URIs are always validated against a whitelist.

        Note: when false, it may be necessary to configure a ForwardedHeaderFilter in the Spring Security configuration to accommodate any gateway or Docker request manipulation occurring before the request reaches this authentication provider. For example, in the reference implementation, the auth server is routed through the gateway server. The gateway server sets X-FORWARDED-* headers that the ForwardedHeaderFilter will catch and use to set up the incoming request correctly, so that saved requests end up routing to the appropriate location when needed. In the same vein, if this auth server sits behind a load balancer that supports X-FORWARDED-* headers, you can make sure the original host is honored here. It is for this reason that the default sample implementation of the auth server configures the ForwardedHeaderFilter: the assumption is that it is receiving requests through a Spring Cloud Gateway instance that is also part of our reference implementation ecosystem.
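As an added example (not Broadleaf's own code), this Spring Boot configuration class registers the ForwardedHeaderFilter that the note above recommends, ahead of the security filter chain; the class and bean names are assumptions.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.ForwardedHeaderFilter;

// Added example, not Broadleaf's code: class and bean names are assumptions.
@Configuration
public class ForwardedHeaderConfig {

    @Bean
    public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
        ForwardedHeaderFilter filter = new ForwardedHeaderFilter();
        FilterRegistrationBean<ForwardedHeaderFilter> registration =
                new FilterRegistrationBean<>(filter);
        // Highest precedence so the request's host, scheme and port are rewritten
        // from X-Forwarded-* before Spring Security saves the request or builds
        // the login and redirect URIs.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

On Spring Boot 2.2 and later, setting server.forward-headers-strategy=framework registers the same filter without this class. Only honor X-Forwarded-* headers when every path to the auth server passes through a proxy that overwrites them; where the server is directly reachable, setRemoveOnly(true) on the filter strips client-supplied values instead of applying them.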

      • getPrefixedDomainWhitelist

        public String[] getPrefixedDomainWhitelist()
        If a tenant-enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the possible domain names that can be used in conjunction with subdomains registered for applications via the Application.getIdentifierType() of ResolutionIdentifierType.DOMAIN_PREFIX.
      • getLoginPathOrUrl

        public String getLoginPathOrUrl()
        Either the path portion only of the login page (e.g. /login), or the absolute URL of the login page (e.g. https://security.server.com/login). If use-redirect-uri-host is true, then this should be the login path only, since the system will be dynamically building the login form URL. Otherwise, this value can be a full URL or a relative path as needed.
      • getGlobalDomainWhitelist

        public Set<String> getGlobalDomainWhitelist()
        If a tenant-enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the possible domain names (e.g., all of global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.
      • getGlobalPrefixWhitelist

        public Set<String> getGlobalPrefixWhitelist()
        If a tenant-enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the possible domain name prefixes (e.g., global in global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.
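As an added illustration (not Broadleaf's implementation), the following check validates a requested redirect URI's host against the three whitelists documented above, using this class's getters; the matching rules (exact, case-insensitive host match, and a global prefix joined to a prefixed domain with a dot) and the class name are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not Broadleaf's code. Assumes the same package as
// AuthorizationServerProperties; the matching rules are illustrative.
public class RedirectHostCheck {

    private final AuthorizationServerProperties props;

    public RedirectHostCheck(AuthorizationServerProperties props) {
        this.props = props;
    }

    public boolean isAllowedRedirect(String redirectUri) {
        URI uri;
        try {
            uri = new URI(redirectUri);
        } catch (URISyntaxException e) {
            return false;
        }
        // Compare the parsed host, never a substring of the raw string, so that
        // userinfo or path tricks such as https://global.myCompany.com@other.example/
        // do not satisfy the check.
        if (uri.getHost() == null) {
            return false;
        }
        String host = uri.getHost().toLowerCase(Locale.ROOT);

        // Global admin login: the host must equal a whitelisted domain exactly.
        for (String domain : nonNull(props.getGlobalDomainWhitelist())) {
            if (host.equals(domain.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        // Tenant-prefixed host: <global prefix>.<prefixed domain>. Application
        // DOMAIN_PREFIX identifiers would be checked the same way (omitted here).
        String[] domains = props.getPrefixedDomainWhitelist();
        for (String domain : domains == null ? new String[0] : domains) {
            for (String prefix : nonNull(props.getGlobalPrefixWhitelist())) {
                if (host.equals((prefix + "." + domain).toLowerCase(Locale.ROOT))) {
                    return true;
                }
            }
        }
        return false;
    }

    private static Set<String> nonNull(Set<String> set) {
        return set == null ? Set.of() : set;
    }
}
```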
      • setUseRedirectUriHost

        @Deprecated
        public void setUseRedirectUriHost(boolean useRedirectUriHost)
        Deprecated.
        This property has been deprecated, as the ForwardedHeaderFilter should be used in all circumstances to correctly determine the redirect URI. When it is used, requests will automatically be redirected to the forwarded host/path. Use the same host from the provided successful login redirect URI. This facilitates a common domain for authorize, login, and application, if desired. Redirect URIs are always validated against a whitelist.

        Note: when false, it may be necessary to configure a ForwardedHeaderFilter in the Spring Security configuration to accommodate any gateway or Docker request manipulation occurring before the request reaches this authentication provider. For example, in the reference implementation, the auth server is routed through the gateway server. The gateway server sets X-FORWARDED-* headers that the ForwardedHeaderFilter will catch and use to set up the incoming request correctly, so that saved requests end up routing to the appropriate location when needed. In the same vein, if this auth server sits behind a load balancer that supports X-FORWARDED-* headers, you can make sure the original host is honored here. It is for this reason that the default sample implementation of the auth server configures the ForwardedHeaderFilter: the assumption is that it is receiving requests through a Spring Cloud Gateway instance that is also part of our reference implementation ecosystem.

      • setPrefixedDomainWhitelist

        public void setPrefixedDomainWhitelist(String[] prefixedDomainWhitelist)
        If a tenant-enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the possible domain names that can be used in conjunction with subdomains registered for applications via the Application.getIdentifierType() of ResolutionIdentifierType.DOMAIN_PREFIX.
      • setLoginPathOrUrl

        public void setLoginPathOrUrl(String loginPathOrUrl)
        Either the path portion only of the login page (e.g. /login), or the absolute URL of the login page (e.g. https://security.server.com/login). If use-redirect-uri-host is true, then this should be the login path only, since the system will be dynamically building the login form URL. Otherwise, this value can be a full URL or a relative path as needed.
      • setGlobalDomainWhitelist

        public void setGlobalDomainWhitelist(Set<String> globalDomainWhitelist)
        If a tenant-enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the possible domain names (e.g., all of global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.
      • setGlobalPrefixWhitelist

        public void setGlobalPrefixWhitelist(Set<String> globalPrefixWhitelist)
        If a tenant-enabled installation is in place (i.e. broadleaf.auth.data.tenant.sync.active = true), this list declares the possible domain name prefixes (e.g., global in global.myCompany.com) that can be used to validate a requested redirect URI that represents a global admin login.
      • canEqual

        protected boolean canEqual(Object other)
      • hashCode

        public int hashCode()
        Overrides:
        hashCode in class Object